Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
New-cwwk-connected to wifi for management
« previous
next »
Print
Pages: [
1
]
Author
Topic: New-cwwk-connected to wifi for management (Read 478 times)
wtiger127
Newbie
Posts: 5
Karma: 0
New-cwwk-connected to wifi for management
«
on:
November 01, 2024, 04:03:48 am »
Ok, hello everyone...so I am new to this forum and OPNsense.
I just got a cwwk device, which includes (2) SFP+ ports (I plugged in 2 1.25gb sfps for now) and (2) 2.5gb intel 226 ports.
Initially, I set this up with the 2.5gb ports as a 'transparent device' in bridge mode, only to find out I looked my self out when I deactivated the WAN/LAN ports IPs. So I got (2) SFPs and started the new install.
Install when well. SPFs set up as LAN/WAN interface, with LAN as DHCP and 192.168.1.1 default network. My laptop received a 192.168.1.100 address as I am connected right into the LAN port. GUI comes up and I can continue there.
And before I setup the bridge, I took one of the 2.5GB ports to be the MGMT port under assignment. I set-it up and with its own new static IP of 192.168.8.4. DHCP is OFF. this is because I plugged into a secondary WiFi router (tplink) under the LAN PORT.
The secondary TPLink router has LAN IP of 192.168.8.2 and DHCP ON from 192.168.8.100.
The idea is to plugin the OPFsense bridge WAN/LAN to my primary router and modem for traffic to go thru and I can have a way to connect to the secondary tplink router (wifi or LAN port) with my laptop and watch traffic or modify OPFsense as needed.
At the moment, I can access the OPNsense GUI connected directly to SPF(LAN) port with my laptop on same 192.168.1.1 network (also can type in 192.168.8.4) and reachable....BUT, when I try to connect directly to MGMT port with network 192.168.8.1, I cannot ping or open the OPNsense GUI on 192.168.8.4 (MGMT port assignment). I suspect something on GUI side needs to be checked On or Off for me to be on MGMT port and have GUI load. OR is a static route missing...not sure.
I also expected my laptop and MGMT port directly to secondary TPlink router under LAN ports should open OPNsense GUI, but it does not. both 8.4 and 1.1 time-out
I welcome any feedback..thank you
Logged
dseven
Sr. Member
Posts: 317
Karma: 34
Re: New-cwwk-connected to wifi for management
«
Reply #1 on:
November 01, 2024, 08:25:41 am »
You will need an inbound firewall rule on your MGMT interface to allow access. The default LAN interface comes with a "Default allow LAN to any rule", but any interface that you create does not.
Logged
EricPerl
Jr. Member
Posts: 91
Karma: 2
Re: New-cwwk-connected to wifi for management
«
Reply #2 on:
November 01, 2024, 08:01:16 pm »
I'm a little confused about the use of the 2nd router. I'm also not clear about where the other clients (the ones you want to watch) fit in.
You've done Router1 -> OPN-Bridge -> Router2 with additional MGMT interface on OPN, right?
And you plugged in OPN-MGMT into LAN of Router2 (given IP ranges)?
If you have the rest of your network plugged in Router1, OPN won't see it.
If it's plugged in behind Router2, OPN will see NATed traffic...
I initially used a transparent bridge. The MGMT interface was connected to the native network of Router1 (switch or router irrelevant).
Router1 -> OPN-Bridge -> main switch -> rest of the network (including VLANs).
Full visibility.
HTH
Logged
wtiger127
Newbie
Posts: 5
Karma: 0
Re: New-cwwk-connected to wifi for management
«
Reply #3 on:
November 02, 2024, 01:34:39 am »
@EricPerl
The idea of second router is so I don't need to go upto the OPNSense device and physically plug in a laptop to MGMT port watch traffic. Since the OPNsense is on my live network with No IPs (since ports are bind as bridge), then I need some other way to access the monitor view. There is where the MGMT port comes in with an IP that can plug-in a physical laptop. BUT I am just using the second router as wifi connection where both physical OPNsense MGT cable and physical primary network come together and I can remotely access thru wifi to monitor.
When I first set this up, I lost a way to watch traffic by removing the IP addresses. And so I started again and set the a physical MGMT port with same IP as my second router LAN. they are both on same 192.168.8.x network. The WAN side of second router is my primary network 192.168.7.x.
Not sure if my explanation makes sense.
I see the OPNsense documentation is showing to add and IP tot he bridge setup (instead of a 3rd physical port). Perhaps that's the way to go???
Logged
EricPerl
Jr. Member
Posts: 91
Karma: 2
Re: New-cwwk-connected to wifi for management
«
Reply #4 on:
November 02, 2024, 08:31:05 am »
If the MGMT port of the machine that acts as a bridge is connected to your primary network (with IP in the corresponding subnet), then you can access the OPNsense GUI from any machine on that primary network. Why does it have to be more complicated than that?
You definitely don't have to plug a machine directly in that port.
Logged
wtiger127
Newbie
Posts: 5
Karma: 0
Re: New-cwwk-connected to wifi for management
«
Reply #5 on:
November 02, 2024, 02:32:52 pm »
I am trying to wrap my mind around that....because the primary router is also a firewall with non-routable network IP of 192.168.7.x. I don't know how I would have a PC with say address 192.168.7.10, be able to traverse thru the WAN and connect to the OPNsense device (with no IP) before the modem.
...since there is no IP on the bridge once I finalize the config. Just WAN/LAN bridged with a new name device of WANLANBridge and no IP to attach too.
So this is why I though to have a true management port on OPNsense and reachable only by myself, is to setup a 3rd physical port (MGMT port).
My confusion may be that I am trying to set this up with a laptop directly to the OPNsense so as to NOT impact my internet connection before I introduce this change. Also, keeping in mind that I may want to do further changes and not lock out my primary connection and have to unplug this device and back to a 1-to-1 connection to try to resolve...again, with no IP will be difficult to attach to the device.
Logged
EricPerl
Jr. Member
Posts: 91
Karma: 2
Re: New-cwwk-connected to wifi for management
«
Reply #6 on:
November 02, 2024, 07:32:29 pm »
192.168.7.x is on the LAN side of the primary router, right?
All clients on the LAN side should have IPs in that range (assuming no VLANs), including the management port of the OPNsense box. All traffic on your LAN stays on your LAN. No routing is necessary. It's all switching. Traffic directed to the Internet (or whatever is on the "WAN" side of your primary router) is routed there.
Again, my physical setup was:
Internet -> Router -> OPNsense-Bridge -> main switch -> rest of the network (including VLANs).
The MGMT port of the OPNsense-bridge was connected to the switch. I could access the OPNsense GUI from any machine in the LAN by using the IP of the MGMT interface. Pretty simple. Using a 3rd port on the OPNsense box is definitely the easiest way.
I set up the bridge with WAN and LAN not connected at all.
Once I was ready, I inserted the bridge in between the router and the main switch (1 cable moved, one added to complete the chain), sanity checked that the network behaved from a few clients. Then I looked at what I could do on the bridge. If you're in a position to capture all traffic, you can do quite a bit.
If I had screwed up, all I had to do was to put back the cables where they were...
Logged
wtiger127
Newbie
Posts: 5
Karma: 0
Re: New-cwwk-connected to wifi for management
«
Reply #7 on:
November 03, 2024, 02:30:14 am »
Appreciate the feedback @EricPerl.
My setup is more..
at the moment..
Internet modem=>Primary router=>several physical network ports and 2-wifi ssids.
Primary router is a fortinet with 9 ports assigned to diff networks (no vlans).
If I setup..
Internet modem=>Primary router=>
OPNsense bridge
=>several physical network ports and 2-wifi ssids.
I wont be able to reach the bridge I don't think since no IP assigned...is a bridge.
and more importantly, I will not capture all traffic to all networks inside since they are all isolated.
Aiming setup....
Internet modem=>secondary router=>OPNsense bridge=>Primary router=>several physical network ports and 2-wifi ssids.
I figure easier to show in attached drawing.
Logged
meyergru
Hero Member
Posts: 1710
Karma: 167
IT Aficionado
Re: New-cwwk-connected to wifi for management
«
Reply #8 on:
November 03, 2024, 10:08:32 am »
Are you sure you want that?
First off, what you claim to be aiming at in your text does not match your drawing.
If your drawing is what you are aiming for:
It is wise to have the OpnSense as the (only) central router and not have a primary router in front of it, creating a router-behind-router scenario. However, you create
new types of problems
if you re-use your existing router as a secondary router/AP/switch behind OpnSense, UNLESS that devices can be switched to a non-router, pure bridged mode. Otherwise, I would always use separate (manageable) switches and (pure) APs.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
EricPerl
Jr. Member
Posts: 91
Karma: 2
Re: New-cwwk-connected to wifi for management
«
Reply #9 on:
November 03, 2024, 10:10:40 pm »
The OP is using OPN as a bridge... I did the same as a learning step.
@OP:
Using a router just to access the bridge's MGMT interface seems overkill to but I give up.
That's your choice after all. I don't understand why you can plug the MGMT port in the LAN side of your primary router (network of your choice). You don't need to satisfy my curiosity ;-)
Accessing the Web GUI via the MGMT interface would be entirely contained to your LAN. It would NOT be traversing the Primary router nor the LAN interface of the bridge.
IMO, the biggest concern with that setup is that your bridge will only NAT traffic downstream from your router.
Matching that to LAN activity on your primary LAN is nearly impossible.
The physical network separation makes moving the bridge on the LAN side more difficult for sure.
Given cabling in my house, that wasn't an option anyway.
I use VLANs (better use of hardware) for isolation. This said, the bridge on the LAN side gave me visibiltiy into inter-VLAN traffic.
Logged
wtiger127
Newbie
Posts: 5
Karma: 0
Re: New-cwwk-connected to wifi for management
«
Reply #10 on:
November 07, 2024, 07:14:48 am »
Thank you again @Eric, and others for your input.
My primary router is a fortinet device. I only wanted to place the OPNsense(as a WAN/LAN bridge with SPI and no routing) between this fortinet and my internet modem to monitor/capture internet traffic. And I don't see any other way to capture all incoming/outgoing traffic, unless this device sits between the fortinet and OPNsense, since I use physical network ports (no vlans). I keep thinking plugging the OPNsesne as a bridge into my fortinet port will only capture that traffic under that port and not all other ports/networks in place.
My obsession for the secondary router (tp-link wifi with 4 gig ports), is to be able to look inside the OPNsense device's capture log that is outside my fortinet router and before the internet modem. I dont think is possible to create a FW rule from my fortinet(or any other primary router) to traverse outside its WAN port and look into the OPNsense's MGMT port I setup. I know I setup port-forward before for coming IN thru my fortinet to an internal network. Just never have done and out-going port forward or static-route.
I've been busy past days, but I am soon resuming this project again and see if I canmake it work.
thank you.
Logged
EricPerl
Jr. Member
Posts: 91
Karma: 2
Re: New-cwwk-connected to wifi for management
«
Reply #11 on:
November 08, 2024, 06:47:55 pm »
I'll assume for now that you keep the OPNsense bridge on the WAN side of your primary router.
I don't know how useful the outcome of monitoring that traffic will be. You'll find out by yourself.
Of course, you want to observe what's going on (outgoing NATed traffic, whatever incoming coming through your modem, whether it's going to be rejected by your primary router or not).
Thankfully you have a 3rd interface available to connect to the OPNsense box.
The connection via that 3rd interface is a very simple HTTPS connection (from a PC to the OPNsense box as web server). This is not different from connecting to this forum or the web interface of any machine on your local network.
I'd make sure you get a /32 static IP in any case.
One in rule to allow HTTPS.
You just need to establish that connection, and you have at least 3 options:
* connect physically to the management port of the OPNsense box with a machine that has a compatible IP address.
* connect the management port of the OPNsense box to the LAN side of your primary router (network of your choice, IP of the management interface set accordingly). Modulo the FW rule, any machine on your network can access it.
* bring up an entire new network with another router (or switch), which is a more complicated version of option 1.
I would connect the management port of OPNsense on the LAN side of that router (WAN is possible but there would only be 2 machines on that IP (MGMT port of OPNsense, WAN side of secondary router). If you have a Wi-Fi AP within that secondary network, you can obviously reach out this way.
Your primary router is not in the way of any of these connections...
«
Last Edit: November 11, 2024, 01:27:12 am by EricPerl
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
New-cwwk-connected to wifi for management